htmlspecialchars
(PHP 4, PHP 5)
htmlspecialchars — Convert special characters to HTML entities
Description
$string
[, int $flags
= ENT_COMPAT | ENT_HTML401
[, string $encoding
= "UTF-8"
[, bool $double_encode
= true
]]] )Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. If you require all input substrings that have associated named entities to be translated, use htmlentities() instead.
If the input string passed to this function and the final document share the same character set, this function is sufficient to prepare input for inclusion in most contexts of an HTML document. If, however, the input can represent characters that are not coded in the final document character set and you wish to retain those characters (as numeric or named entities), both this function and htmlentities() (which only encodes substrings that have named entity equivalents) may be insufficient. You may have to use mb_encode_numericentity() instead.
The translations performed are:
- '&' (ampersand) becomes '&'
-
'"' (double quote) becomes '"' when
ENT_NOQUOTES
is not set. -
"'" (single quote) becomes ''' (or ')
only when
ENT_QUOTES
is set. - '<' (less than) becomes '<'
- '>' (greater than) becomes '>'
Parameters
-
string
-
The string being converted.
-
flags
-
A bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_COMPAT | ENT_HTML401.
Available flags
constantsConstant Name Description ENT_COMPAT
Will convert double-quotes and leave single-quotes alone. ENT_QUOTES
Will convert both double and single quotes. ENT_NOQUOTES
Will leave both double and single quotes unconverted. ENT_IGNORE
Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications. ENT_SUBSTITUTE
Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string. ENT_DISALLOWED
Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content. ENT_HTML401
Handle code as HTML 4.01. ENT_XML1
Handle code as XML 1. ENT_XHTML
Handle code as XHTML. ENT_HTML5
Handle code as HTML 5. -
encoding
-
From PHP 5.6.0, default_charset value is used as default. From PHP 5.4.0, UTF-8 is the default. PHP prior to 5.4.0, ISO-8859-1 is used as the default. Although this argument is technically optional, you are highly encouraged to specify the correct value for your code.
For the purposes of this function, the encodings ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, and KOI8-R are effectively equivalent, provided the
string
itself is valid for the encoding, as the characters affected by htmlspecialchars() occupy the same positions in all of these encodings.The following character sets are supported:
Supported charsets Charset Aliases Description ISO-8859-1 ISO8859-1 Western European, Latin-1. ISO-8859-5 ISO8859-5 Little used cyrillic charset (Latin/Cyrillic). ISO-8859-15 ISO8859-15 Western European, Latin-9. Adds the Euro sign, French and Finnish letters missing in Latin-1 (ISO-8859-1). UTF-8 ASCII compatible multi-byte 8-bit Unicode. cp866 ibm866, 866 DOS-specific Cyrillic charset. cp1251 Windows-1251, win-1251, 1251 Windows-specific Cyrillic charset. cp1252 Windows-1252, 1252 Windows specific charset for Western European. KOI8-R koi8-ru, koi8r Russian. BIG5 950 Traditional Chinese, mainly used in Taiwan. GB2312 936 Simplified Chinese, national standard character set. BIG5-HKSCS Big5 with Hong Kong extensions, Traditional Chinese. Shift_JIS SJIS, SJIS-win, cp932, 932 Japanese EUC-JP EUCJP, eucJP-win Japanese MacRoman Charset that was used by Mac OS. '' An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended. Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.
-
double_encode
-
When
double_encode
is turned off PHP will not encode existing html entities, the default is to convert everything.
Return Values
The converted string.
If the input string
contains an invalid code unit
sequence within the given encoding
an empty string
will be returned, unless either the ENT_IGNORE
or
ENT_SUBSTITUTE
flags are set.
Changelog
Version | Description |
---|---|
5.4.0 |
The default value for the encoding parameter was
changed to UTF-8.
|
5.4.0 |
The constants ENT_SUBSTITUTE , ENT_DISALLOWED ,
ENT_HTML401 , ENT_XML1 ,
ENT_XHTML and ENT_HTML5 were added.
|
5.3.0 |
The constant ENT_IGNORE was added.
|
5.2.3 |
The double_encode parameter was added.
|
4.1.0 |
The encoding parameter was added.
|
Examples
Example #1 htmlspecialchars() example
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
Notes
Note:
Note that this function does not translate anything beyond what is listed above. For full entity translation, see htmlentities().
See Also
- get_html_translation_table() - Returns the translation table used by htmlspecialchars and htmlentities
- htmlspecialchars_decode() - Convert special HTML entities back to characters
- strip_tags() - Strip HTML and PHP tags from a string
- htmlentities() - Convert all applicable characters to HTML entities
- nl2br() - Inserts HTML line breaks before all newlines in a string
- addcslashes
- addslashes
- bin2hex
- chop
- chr
- chunk_split
- convert_cyr_string
- convert_uudecode
- convert_uuencode
- count_chars
- crc32
- crypt
- echo
- explode
- fprintf
- get_html_translation_table
- hebrev
- hebrevc
- hex2bin
- html_entity_decode
- htmlentities
- htmlspecialchars_decode
- htmlspecialchars
- implode
- join
- lcfirst
- levenshtein
- localeconv
- ltrim
- md5_file
- md5
- metaphone
- money_format
- nl_langinfo
- nl2br
- number_format
- ord
- parse_str
- printf
- quoted_printable_decode
- quoted_printable_encode
- quotemeta
- rtrim
- setlocale
- sha1_file
- sha1
- similar_text
- soundex
- sprintf
- sscanf
- str_getcsv
- str_ireplace
- str_pad
- str_repeat
- str_replace
- str_rot13
- str_shuffle
- str_split
- str_word_count
- strcasecmp
- strchr
- strcmp
- strcoll
- strcspn
- strip_tags
- stripcslashes
- stripos
- stripslashes
- stristr
- strlen
- strnatcasecmp
- strnatcmp
- strncasecmp
- strncmp
- strpbrk
- strpos
- strrchr
- strrev
- strripos
- strrpos
- strspn
- strstr
- strtok
- strtolower
- strtoupper
- strtr
- substr_compare
- substr_count
- substr_replace
- substr
- trim
- ucfirst
- ucwords
- vfprintf
- vprintf
- vsprintf
- wordwrap
Коментарии
Actually, if you're using >= 4.0.5, this should theoretically be quicker (less overhead anyway):
$text = str_replace(array(">", "<", """, "&"), array(">", "<", "\"", "&"), $text);
People, don't use ereg_replace for the most simple string replacing operations (replacing constant string with another).
Use str_replace.
also see function "urlencode()", useful for passing text with ampersand and other special chars through url
(i.e. the text is encoded as if sent from form using GET method)
e.g.
<?php
echo "<a href='foo.php?text=".urlencode("foo?&bar!")."'>link</a>";
?>
produces
<a href='foo.php?text=foo%3F%26bar%21'>link</a>
and if the link is followed, the $_GET["text"] in foo.php will contain "foo?&bar!"
I was recently exploring some code when I saw this being used to make data safe for "SQL".
This function should not be used to make data SQL safe (although to prevent phishing it is perfectly good).
Here is an example of how NOT to use this function:
<?php
$username = htmlspecialchars(trim("$_POST[username]"));
$uniqueuser = $realm_db->query("SELECT `login` FROM `accounts` WHERE `login` = '$username'");
?>
(Only other check on $_POST['username'] is to make sure it isn't empty which it is after trim on a white space only name)
The problem here is that it is left to default which allows single quote marks which are used in the sql query. Turning on magic quotes might fix it but you should not rely on magic quotes, in fact you should never use it and fix the code instead. There are also problems with \ not being escaped. Even if magic quotes were used there would be the problem of allowing usernames longer than the limit and having some really weird usernames given they are to be used outside of html, this just provide a front end for registering to another system using mysql. Of course using it on the output wouldn;t cause that problem.
Another way to make something of a fix would be to use ENT_QUOTE or do:
<?php
$uniqueuser = $realm_db->query('SELECT `login` FROM `accounts` WHERE `login` = "'.$username.'";');
?>
Eitherway none of these solutions are good practice and are not entirely unflawed. This function should simply never be used in such a fashion.
I hope this will prevent newbies using this function incorrectly (as they apparently do).
if your goal is just to protect your page from Cross Site Scripting (XSS) attack, or just to show HTML tags on a web page (showing <body> on the page, for example), then using htmlspecialchars() is good enough and better than using htmlentities(). A minor point is htmlspecialchars() is faster than htmlentities(). A more important point is, when we use htmlspecialchars($s) in our code, it is automatically compatible with UTF-8 string. Otherwise, if we use htmlentities($s), and there happens to be foreign characters in the string $s in UTF-8 encoding, then htmlentities() is going to mess it up, as it modifies the byte 0x80 to 0xFF in the string to entities like é. (unless you specifically provide a second argument and a third argument to htmlentities(), with the third argument being "UTF-8").
The reason htmlspecialchars($s) already works with UTF-8 string is that, it changes bytes that are in the range 0x00 to 0x7F to < etc, while leaving bytes in the range 0x80 to 0xFF unchanged. We may wonder whether htmlspecialchars() may accidentally change any byte in a 2 to 4 byte UTF-8 character to < etc. The answer is, it won't. When a UTF-8 character is 2 to 4 bytes long, all the bytes in this character is in the 0x80 to 0xFF range. None can be in the 0x00 to 0x7F range. When a UTF-8 character is 1 byte long, it is just the same as ASCII, which is 7 bit, from 0x00 to 0x7F. As a result, when a UTF-8 character is 1 byte long, htmlspecialchars($s) will do its job, and when the UTF-8 character is 2 to 4 bytes long, htmlspecialchars($s) will just pass those bytes unchanged. So htmlspecialchars($s) will do the same job no matter whether $s is in ASCII, ISO-8859-1 (Latin-1), or UTF-8.
Just a few notes on how one can use htmlspecialchars() and htmlentities() to filter user input on forms for later display and/or database storage...
1. Use htmlspecialchars() to filter text input values for html input tags. i.e.,
echo '<input name=userdata type=text value="'.htmlspecialchars($data).'" />';
2. Use htmlentities() to filter the same data values for most other kinds of html tags, i.e.,
echo '<p>'.htmlentities($data).'</p>';
3. Use your database escape string function to filter the data for database updates & insertions, for instance, using postgresql,
pg_query($connection,"UPDATE datatable SET datavalue='".pg_escape_string($data)."'");
This strategy seems to work well and consistently, without restricting anything the user might like to type and display, while still providing a good deal of protection against a wide variety of html and database escape sequence injections, which might otherwise be introduced through deliberate and/or accidental input of such character sequences by users submitting their input data via html forms.
This may seem obvious, but it caused me some frustration. If you try and use htmlspecialchars with the $charset argument set and the string you run it on is not actually the same charset you specify, you get any empty string returned without any notice/warning/error.
<?php
$ok_utf8 = "A valid UTF-8 string";
$bad_utf8 = "An invalid UTF-8 string";
var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8')); // string(0) ""
var_dump(htmlspecialchars($ok_utf8, ENT_NOQUOTES, 'UTF-8')); // string(20) "A valid UTF-8 string"
?>
So make sure your charsets are consistent
<?php
$bad_utf8 = "An invalid UTF-8 string";
// make sure it's really UTF-8
$bad_utf8 = mb_convert_encoding($bad_utf8, 'UTF-8', mb_detect_encoding($bad_utf8));
var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8')); // string(23) "An invalid UTF-8 string"
?>
I had this problem because a Mac user was submitting posts copy/pasted from a program and it contained weird chars in it.
I had problems with spanish special characters. So i think in using htmlspecialchars but my strings also contain HTML.
So I used this :) Hope it help
<?php
function htmlspanishchars($str)
{
return str_replace(array("<", ">"), array("<", ">"), htmlspecialchars($str, ENT_NOQUOTES, "UTF-8"));
}
?>
i searched for a while for a script, that could see the difference between an html tag and just < and > placed in the text,
the reason is that i recieve text from a database,
wich is inserted by an html form, and contains text and html tags,
the text can contain < and >, so does the tags,
with htmlspecialchars you can validate your text to XHTML,
but you'll also change the tags, like <b> to <b>,
so i needed a script that could see the difference between those two...
but i couldn't find one so i made my own one,
i havent fully tested it, but the parts i tested worked perfect!
just for people that were searching for something like this,
it may looks big, could be done easier, but it works for me, so im happy.
<?php
function fixtags($text){
$text = htmlspecialchars($text);
$text = preg_replace("/=/", "=\"\"", $text);
$text = preg_replace("/"/", ""\"", $text);
$tags = "/<(\/|)(\w*)(\ |)(\w*)([\\\=]*)(?|(\")\""\"|)(?|(.*)?"(\")|)([\ ]?)(\/|)>/i";
$replacement = "<$1$2$3$4$5$6$7$8$9$10>";
$text = preg_replace($tags, $replacement, $text);
$text = preg_replace("/=\"\"/", "=", $text);
return $text;
}
?>
an example:
<?php
$string = "
this is smaller < than this<br />
this is greater > than this<br />
this is the same = as this<br />
<a href=\"http://www.example.com/example.php?test=test\">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc...";
echo fixtags($string);
?>
will echo:
this is smaller < than this<br />
this is greater > than this<br />
this is the same = as this<br />
<a href="http://www.example.com/example.php?test=test">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc...
I hope its helpfull!!
Be careful, the "charset" argument IS case sensitive. This is counter-intuitive and serves no practical purpose because the HTML spec actually has the opposite.
Unfortunately, as far as I can tell, the PHP devs did not provide ANY way to set the default encoding used by htmlspecialchars() or htmlentities(), even though they changed the default encoding in PHP 5.4 (*golf clap for PHP devs*). To save someone the time of trying it, this does not work:
<?php
ini_set('default_charset', $charset); // doesn't work.
?>
Unfortunately, the only way to not have to explicitly provide the second and third parameter every single time this function is called (which gets extremely tedious) is to write your own function as a wrapper:
<?php
define('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);
function html($string) {
return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}
echo html("ñ"); // works
?>
You can do the same for htmlentities()
Problem
In many PHP legacy products the function htmlspecialchars($string) is used to convert characters like < and > and quotes a.s.o to HTML-entities. That avoids the interpretation of HTML Tags and asymmetric quote situations.
Since PHP 5.4 for $string in htmlspecialchars($string) utf8 characters are expected if no charset is defined explicitly as third parameter in the function. Legacy products are mostly in Latin1 (alias iso-8859-1) what makes the functions htmlspecialchars(), htmlentites() and html_entity_decode() to return empty strings if a special character, e. g. a German Umlaut, is present in $string:
PHP<5.4
echo htmlspecialchars('<b>Woermann</b>') //Output: <b>Woermann<b>
echo htmlspecialchars('Wörmann') //Output: <b>Wörmann<b>
PHP=5.4
echo htmlspecialchars('<b>Woermann</b>') //Output: <b>Woermann<b>
echo htmlspecialchars('<b>Wörmann</b>') //Output: empty
Three alternative solutions
a) Not runnig legacy products on PHP 5.4
b) Change all find spots in your code from
htmlspecialchars($string) and *** to
htmlspecialchars($string, ENT_COMPAT | ENT_HTML401, 'ISO-8859-1')
c) Replace all htmlspecialchars() and *** with a new self-made function
*** The same is true for htmlentities() and html_entity_decode();
Solution c
1 Make Search and Replace in the concerned legacy project:
Search for: htmlspecialchars
Replace with: htmlXspecialchars
Search for: htmlentities
Replace with: htmlXentities
Search for: html_entity_decode
Replace with: htmlX_entity_decode
2a Copy and paste the following three functions into an existing already everywhere included PHP-file in your legacy project. (of course that PHP-file must be included only once per request, otherwise you will get a Redeclare Function Fatal Error).
function htmlXspecialchars($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlspecialchars($string, $ent, $charset);
}
function htmlXentities($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlentities($string, $ent, $charset);
}
function htmlX_entity_decode($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return html_entity_decode($string, $ent, $charset);
}
or 2b crate a new PHP-file containing the three functions mentioned above, let's say, z. B. htmlXfunctions.inc.php and include it on the first line of every PHP-file in your legacy product like this: require_once('htmlXfunctions.inc.php').
As of PHP 5.4 they changed default encoding from "ISO-8859-1" to "UTF-8". So if you get null from htmlspecialchars or htmlentities
where you have only set
<?php
echo htmlspecialchars($string);
echo htmlentities($string);
?>
you can fix it by
<?php
echo htmlspecialchars($string, ENT_COMPAT,'ISO-8859-1', true);
echo htmlentities($string, ENT_COMPAT,'ISO-8859-1', true);
?>
On linux you can find the scripts you need to fix by
grep -Rl "htmlspecialchars\\|htmlentities" /path/to/php/scripts/
Another thing important to mention is that
htmlspecialchars(NULL)
returnes an empty string and not NULL!
Be aware of the encoding of your source files!!!
Some of the suggestions here make reference to workarounds where you hard-code an encoding.
<?php
echo htmlspecialchars('<b>Wörmann</b>'); // Why isn't this working?
?>
As it turns out, it may actually be your text editor that is to blame.
As of PHP 5.4, htmlspecialchars now defaults to the UTF-8 encoding. That said, many text editors default to non-UTF encodings like ISO-8859-1 (i.e. Latin-1) or WIN-1252. If you change the encoding of the file to UTF-8, the code above will now work (i.e. the ö is encoded differently in UTF-8 and ISO-8859-1, and you need the UTF-8 version).
Make sure you are editing in UTF-8 Unicode mode! Check your UI or manual for how to convert files to Unicode. It's also a good idea to figure out where to look in your UI to see what the current file encoding is.
If you use htmlspecialchars() to escape any HTML attribute, make sure use double quote instead of single quote for the attribute.
For Example,
> Wrap with Single Quote
<?php
echo "<p title='" . htmlspecialchars("Hello\"s\'world") . "'">
// title will end up Hello"s\ and rest of the text after single quote will be cut off.
?>
> Wrap with Double quote :
<?php
echo '<p title="' . htmlspecialchars("Hello\"s\'world") . '"'>
// title will show up correctly as Hello"s'world
?>
One MUST specify ENT_HTML5 in addition to double_encode=false to avoid double-encoding.
The reason is that contrary to the documentation, double_encode=false will NOT unconditionally and globally prevent double-encoding of ALL existing entities. Crucially, it will only skip double-encoding for THOSE character entities that are explicitly valid for the document type chosen!
Since ENT_HTML5 references the most expansive list of character entities, it is the only setting that will be most lenient with existing character entities.
<?php
declare(strict_types=1);
$text = 'ampersand(&), double quote("), single quote('), less than(<), greater than(>), numeric entities(&"'<>), HTML 5 entities(+,!$(ņ€)';
$result3 = htmlspecialchars( $text, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8', /*double_encode*/false );
$result4 = htmlspecialchars( $text, ENT_NOQUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8', /*double_encode*/false );
$result5 = htmlspecialchars( $text, ENT_NOQUOTES | ENT_XHTML | ENT_SUBSTITUTE, 'UTF-8', /*double_encode*/false );
$result6 = htmlspecialchars( $text, ENT_NOQUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', /*double_encode*/false );
echo "<br />\r\nHTML 4.01:<br />\r\n", $result3,
"<br />\r\nXML 1:<br />\r\n", $result4,
"<br />\r\nXHTML:<br />\r\n", $result5,
"<br />\r\nHTML 5:<br />\r\n", $result6, "<br />\r\n";
?>
will produce:
HTML 4.01 (will NOT recognize single quote, but Euro):
ampersand(&), double quote("), single quote('), less than(<), greater than(>), numeric entities(&"'<>), HTML 5 entities(+,!$(ņ€)
XML 1 (WILL recognize single quote, but NOT Euro):
ampersand(&), double quote("), single quote('), less than(<), greater than(>), numeric entities(&"'<>), HTML 5 entities(+,!$(ņ€)
XHTML (recognizes single quote and Euro):
ampersand(&), double quote("), single quote('), less than(<), greater than(>), numeric entities(&"'<>), HTML 5 entities(+,!$(ņ€)
HTML 5 (recognizes "all" valid character entities):
ampersand(&), double quote("), single quote('), less than(<), greater than(>), numeric entities(&"'<>), HTML 5 entities(+,!$(ņ€)
Thanks Thomasvdbulk for your workaround, I would like to add a precision:
When the HTML contains a link tag without new line before the script doesn't work :/
Your example:
<?php
$string = "
this is smaller < than this<br />
this is greater > than this<br />
this is the same = as this<br />
<a href=\"http://www.example.com/example.php?test=test\">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc...";
echo fixtags($string);
?>
Works but this doesn't work:
<?php
$string = "
this is smaller < than this<br />
this is greater > than this<br />
this is the same = as this<br /><a href=\"http://www.example.com/example.php?test=test\">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc...";
echo fixtags($string);
?>
So I add a little workaround at the beginning (before htmlspecialchars):
<?php
$text = preg_replace('/<a/', "\r\n<a", $text);
?>
I don't like that but I don't find other solution... :/
Because the documentation says
int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
you would think that ENT_HTML401 is important. But as the notes mention, ENT_HTML401 is the default if you don't specify the doc type. This is because ENT_HTML401 === 0. So
int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
is exactly equivalent to
int $flags = ENT_QUOTES | ENT_SUBSTITUTE